Snort email rule to alert about any email from a specific user

1

I am new to snort rules and need a rule that will alert any email from a specific user. For example:

alert tcp any any -> any 25 (msg:"Target Email Detected"; content:"email@thatemail.com"; fast_pattern:only; nocase; classtype: Target Email Detected ;sid:12345 ;)

This rule as of now will sniff it if it is in the content, but mail from the email above is not alerted.

ThatGuy

Posted 2011-10-18T14:55:05.070

Reputation: 11

Answers

0

Your rule looks good for the most part. I believe the problem has to do with your sid mapping / classtype. If you define a new classtype as you have done there are additional configuration options that need to be set - in this case it is much easier to recycle something existing. I would suggest using a classtype of policy-violation.

RE: Comment The content field searches the entire body of the packet it sees. It shouldn't be a PCRE issue. You might want to look at assembling the stream. It might be that the string you are searching for is being broken between packets. Try firing up Wireshark and capturing the exact packets you want.

Tim Brigham

Posted 2011-10-18T14:55:05.070

Reputation: 1 102

I created the custom classtype and it works ok, I feel it's something with it not capturing mail headers right or something, would a pcre be needed? – ThatGuy – 2011-10-18T15:30:14.250
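To illustrate the answer's point that a sender address split across TCP segments will not match a per-packet content check but will match once the stream is reassembled, here is an added example that is not from the original thread. The SMTP session is constructed inline and the target address is the placeholder from the question.

```python
# Added example (not from the original post): why a per-packet content match
# can miss a sender address that straddles a TCP segment boundary, and how
# matching against the reassembled SMTP stream catches it.
import re

# Constructed SMTP client-to-server stream; the target address is a placeholder.
TARGET = "email@thatemail.com"
SMTP_STREAM = (
    b"EHLO mail.example.test\r\n"
    b"MAIL FROM:<Email@ThatEmail.com>\r\n"
    b"RCPT TO:<someone@example.test>\r\n"
    b"DATA\r\n"
)

def segment(stream: bytes, boundaries: list[int]) -> list[tuple[int, bytes]]:
    """Split a stream into (seq, payload) segments at the given byte offsets."""
    cuts = [0] + sorted(boundaries) + [len(stream)]
    return [(cuts[i], stream[cuts[i]:cuts[i + 1]]) for i in range(len(cuts) - 1)]

def per_packet_match(segments, needle: str) -> bool:
    """What a rule inspecting single packets effectively does: search each
    segment's payload on its own (case-insensitive, like 'nocase')."""
    pat = re.compile(re.escape(needle).encode(), re.IGNORECASE)
    return any(pat.search(payload) for _, payload in segments)

def reassembled_match(segments, needle: str) -> bool:
    """Reorder segments by sequence number, concatenate, then search once."""
    stream = b"".join(p for _, p in sorted(segments, key=lambda s: s[0]))
    pat = re.compile(re.escape(needle).encode(), re.IGNORECASE)
    return pat.search(stream) is not None

def demo() -> tuple[bool, bool]:
    # Cut in the middle of the address: "...<Email@That" | "Email.com>..."
    cut = SMTP_STREAM.lower().index(b"@thatemail") + 5
    split = segment(SMTP_STREAM, [cut])
    split.reverse()  # deliver out of order, as captures often do
    return per_packet_match(split, TARGET), reassembled_match(split, TARGET)

if __name__ == "__main__":
    print(demo())  # (False, True)
```

Capturing the session in Wireshark, as the answer suggests, shows directly where the segment boundary falls relative to the MAIL FROM line.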